OK, then what we do if something weird happens in production and we want to see the errors, but we don’t want others to see them? [...] Maybe PHP could have some setting like display_errors=local which would enable display_errors for requests originating from developer machine but would disable it when outsider accesses it?

Richard's solution checks the HTTP_HOST value of the current request and, based on whether it's marked as "live" or "dev", uses a ini_set to change the display_errors setting to true/false.